【Hands-on】: Multitenant Privilege Control with Lockdown Profiles
Oracle Database 12.2 introduced a new feature, the lockdown profile, which can be used to restrict certain operations inside a PDB and thereby tighten the security of those operations.
PDB Lockdown Profiles to Restrict Operations on PDBs
Starting with this release, in a multitenant environment, you can use PDB lockdown profiles to restrict functionality available to users in a given PDB.
PDB lockdown profiles enable you to restrict the access the user has to a set of features individually or in a group. This feature is designed to enhance security for situations in which identities are shared among PDBs.
The following simple test walks through the basic behaviour of this feature. First, create a profile in the CDB root; the profile is then available to every container:
SQL> connect / as sysdba
Connected.
SQL> CREATE LOCKDOWN PROFILE enmotech;
Lockdown Profile created.
SQL> ALTER LOCKDOWN PROFILE enmotech DISABLE STATEMENT = ('ALTER SYSTEM');
Lockdown Profile altered.
Connect to the PDB YHEM and enable the lockdown profile at the PDB level:
SQL> connect sys/oracle@yhem as sysdba
Connected.
SQL> ALTER SYSTEM SET PDB_LOCKDOWN = enmotech;
System altered.
A quick test shows that every ALTER SYSTEM operation is now refused, even for SYS connected AS SYSDBA:
SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> alter system set optimizer_mode = first_rows_1;
alter system set optimizer_mode = first_rows_1
*
ERROR at line 1:
ORA-01031: insufficient privileges
A LOCKDOWN PROFILE can restrict privileges at a very fine granularity. For example, the following change narrows the restriction so that users are prevented only from executing the ARCHIVE LOG and CHECKPOINT clauses of ALTER SYSTEM:
SQL> connect / as sysdba
Connected.
SQL> alter lockdown profile enmotech enable statement = ('ALTER SYSTEM')
2 clause all except = ('ARCHIVE LOG', 'CHECKPOINT');
Lockdown Profile altered.
Testing again in the PDB shows that the restriction takes effect exactly as written: ALTER SYSTEM SET succeeds, while the CHECKPOINT operation is not allowed:
SQL> connect system/oracle@yhem
Connected.
SQL> alter system set optimizer_mode = first_rows_1;
System altered.
SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges
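The STATEMENT / CLAUSE rules above can be taken one level further, to the OPTION level, so that ALTER SYSTEM SET is allowed only for an allowlist of parameters. The block below is an added example, not code from the original article: it builds a deny-by-default profile, re-opens only the SET clause for three parameters, and reviews the resulting rule set in DBA_LOCKDOWN_PROFILES before assigning it. The profile name app_ops and the parameter list are my own choices; the PDB yhem and the connect strings are the ones used in the article.

```sql
-- Added example (not from the original article). Run in CDB$ROOT as SYSDBA.
-- Profile name app_ops and the allowed parameters are my own choices;
-- PDB yhem comes from the article.
CREATE LOCKDOWN PROFILE app_ops;

-- 1. Deny the whole statement first ...
ALTER LOCKDOWN PROFILE app_ops
  DISABLE STATEMENT = ('ALTER SYSTEM');

-- 2. ... then re-enable only the SET clause, and only for parameters a
--    tenant DBA legitimately needs. Every other ALTER SYSTEM form
--    (CHECKPOINT, ARCHIVE LOG, FLUSH SHARED_POOL, KILL SESSION, and SET
--    of any parameter not listed here) stays denied.
ALTER LOCKDOWN PROFILE app_ops
  ENABLE STATEMENT = ('ALTER SYSTEM')
  CLAUSE = ('SET')
  OPTION = ('OPTIMIZER_MODE', 'CURSOR_SHARING', 'RESUMABLE_TIMEOUT');

-- 3. Review the rule set before handing it to a tenant.
--    STATUS shows ENABLE/DISABLE per rule; the most specific rule wins.
SELECT rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'APP_OPS'
 ORDER BY rule_type, rule, clause, clause_option;

-- 4. Assign it at PDB level (connect sys/oracle@yhem as sysdba).
ALTER SYSTEM SET pdb_lockdown = app_ops;

-- 5. Exercise it as a PDB user (connect system/oracle@yhem).
ALTER SYSTEM SET optimizer_mode = first_rows_1;   -- on the allowlist
ALTER SYSTEM SET open_cursors = 500;              -- SET clause, but not an allowed option
ALTER SYSTEM CHECKPOINT;                          -- clause never re-enabled
```

Note the order in step 4: the ALTER SYSTEM SET pdb_lockdown runs before the profile is in force, so it succeeds, but afterwards no ALTER SYSTEM is accepted inside the PDB, not even by SYS (as the first session above shows). Any later adjustment is therefore made from the CDB root with ALTER LOCKDOWN PROFILE, exactly as the article does, rather than from inside the locked-down PDB.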
Besides individual statements, whole database features can be restricted. For example, calling the UTL_HTTP and UTL_TCP packages from inside a tenant PDB may be high risk (outbound network access from the database), and the following profile setting disables those features:
SQL> alter lockdown profile enmotech
2 disable feature = ('UTL_HTTP', 'UTL_TCP');
Lockdown profile altered.
SQL> conn system/oracle@yhem
Connected.
SQL> declare
2 l_request utl_http.req;
3 l_response utl_http.resp;
4 begin
5 l_request := utl_http.begin_request('https://www.enmotech.com');
6 l_response := utl_http.get_response(l_request);
7 end;
8 /
declare
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-01031: insufficient privileges
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1127
ORA-06512: at line 5
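Naming packages one by one, as above, is easy to get wrong (UTL_SMTP, UTL_MAIL and UTL_INADDR would still be callable). Oracle also ships feature bundles that cover a whole family at once. The block below is an added example, not code from the original article: it disables the documented NETWORK_ACCESS and OS_ACCESS bundles on the article's enmotech profile, then shows how to audit the rules in force, once from the root via DBA_LOCKDOWN_PROFILES and once from inside the PDB via V$LOCKDOWN_RULES, which is the view a tenant-side auditor with no root access can query. The profile name and PDB are the article's; the bundle names are Oracle's, and the audit queries are my own.

```sql
-- Added example (not from the original article).
-- In CDB$ROOT as SYSDBA: disable whole feature bundles instead of single
-- packages. NETWORK_ACCESS covers UTL_HTTP, UTL_TCP, UTL_SMTP, UTL_MAIL,
-- UTL_INADDR and related packages; OS_ACCESS covers UTL_FILE and other
-- host-level access. Profile enmotech is the one created in the article.
ALTER LOCKDOWN PROFILE enmotech
  DISABLE FEATURE = ('NETWORK_ACCESS', 'OS_ACCESS');

-- Root-side audit: every FEATURE rule the profile now carries.
SELECT rule_type, rule, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'ENMOTECH'
   AND rule_type = 'FEATURE'
 ORDER BY rule;

-- PDB-side audit (connect system/oracle@yhem): the rules actually in
-- effect for this container, as the PDB itself sees them. Put this in a
-- periodic compliance script so a silently changed profile is noticed.
SELECT rule_type, rule, clause, clause_option, status
  FROM v$lockdown_rules
 ORDER BY rule_type, rule, clause, clause_option;

-- Probe from the PDB: UTL_INADDR was never named explicitly, but it is a
-- member of NETWORK_ACCESS, so the bundle rule now covers it as well.
SELECT utl_inaddr.get_host_address('localhost') FROM dual;
```

A bundle rule is the safer default for a shared-identity environment: a package added to the family in a later release is covered automatically, whereas an explicit list has to be maintained by hand.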
Reposted from the 數據和雲 (Data and Cloud) WeChat official account; original link.
Last updated: 2017-07-18 10:33:20